CVE-2015-0311 debug notes

This is my first time analysing a Flash sample, and I will share some skills and experience on how to analyse one.
—-
(1) root cause analysis
ApplicationDomain.currentDomain.domainMemory points to a global ByteArray that we define.
When we perform certain operations on this array, an exception is raised.
First we compress the array,
then we corrupt the (compressed) data, and after that we uncompress the array. Because the data in the array has been changed, the uncompress fails, and the failure path does not notify domainMemory of the buffer change,
so domainMemory still points to the old backing array, which has already been freed (a use-after-free).
Note: the relevant code can be found in avmplus (open source).
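To make the broken invariant concrete, here is a small C model added to these notes (it is not avmplus code; the ByteArray, DomainMemory and pool types are stand-ins I made up). Uncompress swaps in a fresh backing store; the vulnerable variant returns on the error path without telling its subscriber, while the fixed variant re-synchronises the subscriber on every path.

```c
#include <stdbool.h>
#include <string.h>

/* Toy model: backing stores live in a fixed pool with a "live" flag, so a
 * released store can be inspected safely instead of touching freed memory. */
#define POOL_SLOTS 8
static bool pool_live[POOL_SLOTS];

static int pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_live[i]) { pool_live[i] = true; return i; }
    return -1;
}
static void pool_free(int slot) { pool_live[slot] = false; }

typedef struct { int buf; } ByteArray;      /* current backing store */
typedef struct { int base; } DomainMemory;  /* cached copy of ByteArray's store */

static void notify_domain_memory(DomainMemory *dm, const ByteArray *ba) {
    dm->base = ba->buf;
}

/* Uncompress replaces the store, then fails part way because the input was
 * corrupted (simulated by input_corrupt). Vulnerable: the error path skips
 * the notification, so the subscriber keeps the released store. */
static bool uncompress_vuln(ByteArray *ba, DomainMemory *dm, bool input_corrupt) {
    int fresh = pool_alloc();
    pool_free(ba->buf);
    ba->buf = fresh;
    if (input_corrupt) return false;     /* subscriber never told about the swap */
    notify_domain_memory(dm, ba);
    return true;
}

/* Fixed: the subscriber is re-synchronised before any return. */
static bool uncompress_fixed(ByteArray *ba, DomainMemory *dm, bool input_corrupt) {
    int fresh = pool_alloc();
    pool_free(ba->buf);
    ba->buf = fresh;
    notify_domain_memory(dm, ba);
    return !input_corrupt;
}

/* Runs the compress/corrupt/uncompress-fails scenario and reports whether the
 * domain memory still refers to a live store afterwards. */
static bool domain_memory_live_after_failure(bool use_fix) {
    memset(pool_live, 0, sizeof pool_live);
    ByteArray ba = { pool_alloc() };
    DomainMemory dm;
    notify_domain_memory(&dm, &ba);
    if (use_fix) uncompress_fixed(&ba, &dm, true);
    else         uncompress_vuln(&ba, &dm, true);
    return dm.base >= 0 && pool_live[dm.base];
}
```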
—-
(2) how to start
First we need to find the functions in the Flash binary.
This is hard, because the binary has no symbol table,
and when ActionScript runs, the code is always JIT-compiled.

a Hook setJit | setNative.
The parameters are always [method_id, proc], where proc is the address of the JIT-compiled or native code.
b At the hook point, call getMethodName to obtain the method name.
Then we can map names to method ids.
c Now we can set a breakpoint on the proc address and start the analysis.

After we get this information, it is easy to set the breakpoints and find the addresses in IDA Pro.

(3) how to exploit
The steps:
a Make the whole memory readable and writable.
We use the casi32 instruction to update the vector's length to achieve this.

b Leak the module address.
In the heap-sprayed memory we fill with the `this` pointer,
from which we can find the main object's vtable address.

c Create the ROP code in memory.
d Change the vtable:
we update the main object's vtable address.
e Call through the vtable:
we call toString().
—————————————–
Following is the PoC code from Metasploit.
I tested on Windows 7 with Flash 16.0.0.287.